celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Wifi/Mobile block rules independent of Isolate #759

Open ignoramous opened 1 year ago

ignoramous commented 1 year ago

A user says,

In the next update, please allow using isolate or lockdown mode together with the firewall.

Because some users like me want to filter those suspicious IPs but want to block them from using wifi or data. Thanks.

ignoramous commented 1 year ago

Spoke with Hussain, and we've decided to instead make global rules per-app which makes things easier to reason about: https://github.com/celzero/rethink-app/issues/720

That is, users would be able to select per-app which of the "global" rules apply to the app, instead of a blanket "Bypass (all) Universal (rules)".

CICS-Starter commented 1 year ago

Allowing some of the current Global rules on a per-app basis is a great idea and would be a welcome addition to RDNS. But I don't think this will address the user's issue. The user wants to be able to specify an app to be isolated AND also restricted to either metered or unmetered. The UI currently does not allow this.

ignoramous commented 1 year ago

The user wants to be able to specify an app to be isolated AND also restricted to either metered or unmetered.

This extends from the work needed to be done to make universal rules per-app. It will happen, but also know that this change is likely to happen slowly over a number of releases as it really gets into the guts of the firewall... (:

CICS-Starter commented 1 year ago

Sure, totally understand that this is something that is non trivial and will take some time to implement.

Maybe this should be reopened so that it doesn't get forgotten. Also, since this is not really related to global bypass, the name should be changed to something like "Wifi/Mobile block rules independent of Isolate".

ignoramous commented 1 year ago

global bypass, the name should be changed to something like "Wifi/Mobile block rules independent of Isolate"

Ah, see what you mean. Done. Thanks.

opk12 commented 9 months ago

What is the functional difference between Isolated and blocked on both wifi + mobile?

Are they actually worth being different states? As Isolate makes wifi and mobile gray instead of red, I thought there was some subtle magic, and stayed away from it. Now I'm switching a lot of apps from blocked on both to Isolate and they seem to be blocked the same.

ignoramous commented 9 months ago

What is the functional difference between Isolated and blocked on both wifi + mobile?

Please see: https://www.reddit.com/r/rethinkdns/comments/11vxyp6/the_6_icons_in_apps/

Terrance commented 5 months ago

Having stared at the firewall rules screen for a bit and read the breakdown linked above, it seems like the modes could be improved by merging Isolate and Blocked, such that the wi-fi and mobile toggles each switch between Allow and Isolate?

In effect, this is permitting the existing Blocked state to be overridden by allow rules, which feels more intuitive to me -- it's not particularly obvious with a network type blocked that an allow rule will have no effect.

The default state of Isolate with no rules is to block everything anyway. I have "Block newly installed apps by default" enabled, which could similarly set apps to Isolate by default. I think the only change in behaviour would then be with universal bypass rules, which would become allowed under Isolate logic, but that can be worked around by adding a block rule to an app that shouldn't have it, or by adding a new universal rule along the lines of "Ignore universal bypass rules when blocked".

ignoramous commented 5 months ago

such that the wi-fi and mobile toggles each switch between Allow and Isolate?

This is how it was before... and folks said they instead wanted finer toggles :D

it's not particularly obvious with a network type blocked that an allow rule will have no effect.

I see. I think we should simply disable the UI that lets users set per-app rules when the app is blocked?

I have "Block newly installed apps by default" enabled, which could similarly set apps to Isolate by default.

We've thought about this, but then it confused people even more, as "Isolate" is something you only see in Rethink (and not in other Firewall apps). Also: "Isolate" is a power-user feature... and a power-user will figure out one way or the other how to use the features they want to, anyway.

I think the only change in behaviour would then be with universal bypass rules, which would become allowed under Isolate logic

Sorry, I don't follow. In general, per-app domain / IP rules can never be overridden by Universal (global) domain / IP rules; i.e., if per-app domain / IP rules block / trust (allow), then regardless of Universal (global) rules, that per-app rule will be applied.

Terrance commented 5 months ago

For the avoidance of doubt, I'll clarify the current and proposed options -- at present, looking at the top row (Unmetered, Metered, Isolate), the following combinations are possible:

What I'm missing in my workflow is "isolate unmetered, block metered", so that I can prevent use of limited mobile data whilst also applying firewall rules on unmetered networks. Including Isolate as a per-network option would give the following additional combinations:

I then asserted that Isolate with no rules is effectively the same as Block, which means Block can be dropped (use Isolate instead), which would reduce the full set of states to:


Now to the follow-ups 🙂

such that the wi-fi and mobile toggles each switch between Allow and Isolate?

This is how it was before... and folks said they instead wanted finer toggles :D

If you'd rather keep both Block and Isolate, that's fine -- UI-wise perhaps the Unmetered / Metered buttons could cycle through the three states (Allow, Block, Isolate) instead?

I think we should simply disable the UI that lets users set per-app rules when the app is blocked?

You could, but to me there's a weird asymmetry in that Allow mode processes block rules but Block mode doesn't process Allow rules -- it's Isolate that has the symmetrical behaviour here by processing rules but blocking by default, and if the main toggle was between Allow and Isolate then the per-app rules would always be active.

"Isolate" is something you only see in Rethink (and not in other Firewall apps)

For what it's worth, I migrated from NetGuard to Rethink, which I'd count as a firewall app and also does DNS rules in a similar fashion. It has allow and deny modes as proposed above, though I'd say it is an app probably targeted towards power users exclusively (but of course you don't have to fiddle with per-app DNS rules).

In general, per-app domain / IP rules can never be overriden by Universal (global) domain / IP rules

Agreed; the note I was making was if Isolate were to replace Block, there wouldn't be a "strong" per-app block rule, just the implicit block by default of isolation, so it becomes ambiguous how that would interact with universal bypass.

Currently, if you add a universal allow rule for a domain, the result is block when set to Block on the appropriate network, but allow when an app is set to Isolate? If this is sufficient to keep a dedicated Block state independent of Isolate then so be it; another option is to have a per-app/global option for controlling this behaviour.
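The precedence discussed above (per-app rules never overridden by universal rules; Block ignores allow rules; Allow evaluates block rules; Isolate evaluates rules but blocks by default), written out as a small decision model so the "isolate unmetered, block metered" workflow and the Isolate-versus-Block equivalence can be checked concretely. This is an added example, not code from the rethink-app project; the class and function names, the ordering "universal bypass beats universal block" in Allow mode, and the `isolate_honours_bypass` knob (the per-app/global option Terrance proposes, not an existing Rethink setting) are assumptions made here.

```python
"""Toy model of Rethink-style per-app vs. universal rule precedence.

Added example, not code from the rethink-app project. It encodes the
precedence stated in this thread: per-app domain/IP rules are never
overridden by universal rules; Block drops everything and ignores allow
rules; Allow evaluates block rules; Isolate evaluates rules but blocks by
default. Class and function names, the "universal bypass beats universal
block" ordering, and the isolate_honours_bypass knob are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    ALLOW = "allow"      # everything permitted unless a block rule matches
    BLOCK = "block"      # everything dropped; allow rules have no effect
    ISOLATE = "isolate"  # default-deny, but per-app rules are evaluated


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class AppPolicy:
    """Per-app settings: a mode per network type plus domain/IP rules."""
    unmetered: Mode = Mode.ALLOW
    metered: Mode = Mode.ALLOW
    trust: frozenset = frozenset()   # per-app allow ("trust") rules
    block: frozenset = frozenset()   # per-app block rules


@dataclass
class UniversalPolicy:
    """Global rules that apply to apps which do not bypass them."""
    bypass: frozenset = frozenset()  # universal allow rules
    block: frozenset = frozenset()   # universal block rules
    # Hypothetical knob (the per-app/global option proposed in the thread,
    # not an existing setting): let an isolated app use universal bypass.
    isolate_honours_bypass: bool = False


def decide(app: AppPolicy, universal: UniversalPolicy,
           dest: str, metered: bool) -> Verdict:
    """Decide one connection from `app` to `dest` on a (un)metered network."""
    mode = app.metered if metered else app.unmetered
    if mode is Mode.BLOCK:
        # Block mode: no allow rule, per-app or universal, is consulted.
        return Verdict.BLOCK
    # Per-app rules come first and are never overridden by universal ones.
    if dest in app.block:
        return Verdict.BLOCK
    if dest in app.trust:
        return Verdict.ALLOW
    if mode is Mode.ISOLATE:
        if universal.isolate_honours_bypass and dest in universal.bypass:
            return Verdict.ALLOW
        return Verdict.BLOCK          # default-deny for isolated apps
    # Allow mode: universal rules apply. Assumption: bypass wins over block.
    if dest in universal.bypass:
        return Verdict.ALLOW
    if dest in universal.block:
        return Verdict.BLOCK
    return Verdict.ALLOW


def same_verdicts(a: AppPolicy, b: AppPolicy, universal: UniversalPolicy,
                  dests, metered: bool = False) -> bool:
    """True if two app policies behave identically over the given destinations."""
    return all(decide(a, universal, d, metered) == decide(b, universal, d, metered)
               for d in dests)


if __name__ == "__main__":
    # Constructed sample: the "isolate unmetered, block metered" workflow.
    app = AppPolicy(unmetered=Mode.ISOLATE, metered=Mode.BLOCK,
                    trust=frozenset({"api.example.net"}))
    uni = UniversalPolicy(bypass=frozenset({"cdn.example.org"}),
                          block=frozenset({"tracker.example.com"}))
    for dest in ("api.example.net", "cdn.example.org", "tracker.example.com"):
        for metered in (False, True):
            v = decide(app, uni, dest, metered)
            print(f"{dest:22} metered={metered!s:5} -> {v.value}")
```

With the knob off, an isolated app with no rules yields the same verdicts as a blocked one over any set of destinations; turning `isolate_honours_bypass` on is exactly the case where the two states diverge, which is the ambiguity raised above about universal bypass under Isolate.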